rmannibucau commented on PR #7:
URL: https://github.com/apache/geronimo-jwt-auth/pull/7#issuecomment-1930183897

   @ArneLimburg no blocker for me but a few open points - see it as the way I 
would have done it, so I'd love to ensure it got reviewed before we integrate 
the code:
   
   * do we want to support more than RSA keys 
(https://github.com/yupiik/fusion/blob/master/fusion-jwt/src/main/java/io/yupiik/fusion/jwt/JwtValidatorFactory.java#L91
 can be a sample)?
   * do we want to load it at startup - postconstruct - and use it as needed at 
runtime - loadKey - (i.e. 
https://github.com/apache/geronimo-jwt-auth/pull/7/files#diff-6cae8d1e2c724e267297472eb5909c6ecd132a7447d1af4924cb65de04940c73R148
 becomes an HttpClient with a pool of 1 thread doing a sendAsync, storing the 
CompletionStage and blocking on it at runtime to ensure keys are there - since 
sadly the API is not designed to be reactive)?
   * we likely want to refresh the keys from time to time to avoid forcing a 
restart of the app to handle key rotation (in particular when it is every day, 
for example)
   * I don't see the filtering on "sig", is it intended? Maybe I missed it, but 
I don't think the spec supports enc yet.
   
   Wdyt?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@geronimo.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
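The four points above (non-RSA key types, a startup fetch that is only waited on at first use, periodic refresh for key rotation, and filtering on "use":"sig") can be sketched together in one class. The code below is an added illustration and is not code from the pull request or from geronimo-jwt-auth; the class name JwksKeyProvider, the start()/loadKey() names, the 10 second wait, the choice to use the JSON-P javax.json API for parsing and the decision to treat a JWK without a "use" member as a signing key (the member is optional in RFC 7517) are all assumptions made for the example. Keys without a "kid", keys with "use":"enc" and key types other than RSA and EC are skipped.

```java
import java.io.StringReader;
import java.math.BigInteger;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.*;
import java.security.spec.*;
import java.time.Duration;
import java.util.*;
import java.util.concurrent.*;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonValue;

/** Hypothetical JWKS provider: fetch at startup, bounded wait at first use, refresh on a timer. */
public class JwksKeyProvider {
    // A pool of one thread is enough: there is at most one fetch in flight at a time.
    private final HttpClient http = HttpClient.newBuilder()
            .executor(Executors.newSingleThreadExecutor()).connectTimeout(Duration.ofSeconds(5)).build();
    private final ScheduledExecutorService refresher = Executors.newSingleThreadScheduledExecutor();
    private final URI jwksUri;
    private final Duration refreshEvery;
    // Completed by the first fetch; replaced by an already-completed future on each successful refresh.
    private volatile CompletableFuture<Map<String, PublicKey>> keys;

    public JwksKeyProvider(URI jwksUri, Duration refreshEvery) {
        this.jwksUri = jwksUri;
        this.refreshEvery = refreshEvery;
    }
    /** The @PostConstruct part: start the download, do not wait for it on the startup thread. */
    public void start() {
        keys = fetch();
        refresher.scheduleAtFixedRate(this::refresh, refreshEvery.toMillis(), refreshEvery.toMillis(), TimeUnit.MILLISECONDS);
    }
    /** The loadKey(kid) part, called per request: wait for the first fetch if needed, then look up kid. */
    public PublicKey loadKey(String kid) {
        PublicKey key;
        try {
            key = keys.get(10, TimeUnit.SECONDS).get(kid); // bounded wait; the validation API is blocking anyway
        } catch (Exception e) {
            throw new IllegalStateException("JWKS not available from " + jwksUri, e);
        }
        if (key == null) throw new IllegalArgumentException("no signing key with kid=" + kid);
        return key;
    }
    private CompletableFuture<Map<String, PublicKey>> fetch() {
        HttpRequest req = HttpRequest.newBuilder(jwksUri).GET().build();
        return http.sendAsync(req, HttpResponse.BodyHandlers.ofString()).thenApply(res -> {
            if (res.statusCode() != 200) throw new IllegalStateException("JWKS fetch: HTTP " + res.statusCode());
            return parseJwks(res.body());
        });
    }
    /** Key rotation: only a successful, non-empty refresh replaces the set; a failed refresh keeps the old keys. */
    private void refresh() {
        fetch().whenComplete((fresh, failure) -> {
            if (failure == null && !fresh.isEmpty()) keys = CompletableFuture.completedFuture(fresh);
        });
    }
    /** Keeps "use":"sig" keys (and keys with no "use"), drops "enc"; builds RSA and EC keys, skips other kty. */
    static Map<String, PublicKey> parseJwks(String json) {
        Map<String, PublicKey> out = new HashMap<>();
        JsonObject root = Json.createReader(new StringReader(json)).readObject();
        for (JsonValue v : root.getJsonArray("keys")) {
            JsonObject jwk = v.asJsonObject();
            String kid = jwk.getString("kid", null);
            if (kid == null || !"sig".equals(jwk.getString("use", "sig"))) continue;
            try {
                switch (jwk.getString("kty", "")) {
                    case "RSA": out.put(kid, rsa(jwk)); break;
                    case "EC": out.put(kid, ec(jwk)); break;
                    default: break; // oct / OKP: not supported in this example
                }
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException("invalid JWK kid=" + kid, e);
            }
        }
        return out;
    }
    // JWK integers are unsigned big-endian, base64url without padding.
    private static BigInteger uint(JsonObject jwk, String field) {
        return new BigInteger(1, Base64.getUrlDecoder().decode(jwk.getString(field)));
    }
    private static PublicKey rsa(JsonObject jwk) throws GeneralSecurityException {
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(uint(jwk, "n"), uint(jwk, "e")));
    }
    private static PublicKey ec(JsonObject jwk) throws GeneralSecurityException {
        String curve;
        switch (jwk.getString("crv", "")) {
            case "P-256": curve = "secp256r1"; break;
            case "P-384": curve = "secp384r1"; break;
            case "P-521": curve = "secp521r1"; break;
            default: throw new GeneralSecurityException("unsupported crv " + jwk.getString("crv", ""));
        }
        AlgorithmParameters params = AlgorithmParameters.getInstance("EC");
        params.init(new ECGenParameterSpec(curve));
        ECParameterSpec spec = params.getParameterSpec(ECParameterSpec.class);
        return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(new ECPoint(uint(jwk, "x"), uint(jwk, "y")), spec));
    }
}
```

In a CDI bean, start() is what @PostConstruct would call and a @PreDestroy should shut the scheduler down. The one design point worth keeping whatever shape the real implementation takes is in refresh(): a failed or empty refresh never replaces a working key set, so a transient outage of the JWKS endpoint does not turn into a token-validation outage, while a rotated key becomes usable at the next successful refresh without a restart.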